34

I am a bit confused as to why there is no Individual User Accounts authentication option in the latest ASP.NET Core Web API template.

Is it still possible to implement individual user accounts the way that the MVC template does or would it not make sense?

Let's say I am creating a stand-alone web API that is going to have all of my business logic and data layer that accesses the database which has the AspNet Identity tables. I plan on making calls to this API w/ an MVC app.

I know one way of doing this is to create an asp.net MVC app w/ individual user accounts auth and simply build the API right within the MVC app using a controllers/api folder. However, I don't want to do it this way because I want the API to be its own standalone project that can be hosted on a completely different server and accessed by multiple applications, not just an MVC app.

Can someone lead me in the right direction on how authentication typically works in this scenario since there is no template?

Blake Rivell
  • 5
    You can copy the relevant bits, but WebAPI and MVC are essentially one single API now. Only difference is that you don't have views and how the default route is configured. For WebAPI you usually don't want individual accounts as by default it has no means of creating accounts (which is built in MVC template). You likely want to use OAuth or OpenID authentication for WebAPI rather than authenticating with username & password. Since ASP.NET Core doesn't offer any OAuth Server middleware anymore, you have to use OpenIddict or IdentityServer4 for authorization – Tseng Dec 09 '16 at 14:14
  • 1
    So Individual accounts are pointless in the WebAPI template – Tseng Dec 09 '16 at 14:14
  • 2
    @Tseng thanks for the answer. So what I am still not understanding is the following: Let's say my MVC app has a login form. That login form should be sending some sort of ajax request w/ Username and Password to the api for authentication and authorization right? Then the API responds and a cookie or something is set? I just want to make sure I am in the right mindset and on the right path. – Blake Rivell Dec 09 '16 at 14:29
  • Looking forward to seeing more development on this query. – Super Coder Feb 23 '17 at 19:42
  • @Tseng you say ASP.NET Core Identity individual accounts templates is pointless in ASP.NET Core WebAPI template since OpenID authentication would be used for WebAPI rather than authenticating with username & password but how can the choice of using WebAPI in the backend dictate user experience in a front end client. I have users that do not want to do not have an OpenId account with any existing OpenId providers, how do they authenticate? They should be able to register with a username and password shouldn't they? – Brian Ogden May 07 '17 at 23:59
  • @Tseng Why does OpenIddict, a library for implementing an ASP.NET Core OpenId Connect Server, have a password flow? https://github.com/openiddict/openiddict-samples/tree/master/samples/PasswordFlow Clearly OpenId and username/password are options of authentication for client applications, it is not one or the other, so saying the Individual Accounts templates are pointless in WebAPI does not make sense to me. – Brian Ogden May 08 '17 at 00:03
  • @BrianOgden: Bit off-topic, but Identity registers cookie auth. The cookie auth middleware is configured to redirect you to a login page when you are not logged in. This obviously doesn't work very well when you call from ajax, as you'd expect either a 401 or 403 response, not a 301/302 (redirect). And you don't need an account on some third party OpenID provider (such as Google or Facebook), you can host your own OpenID provider. Just not with ASP.NET Core shipped libraries, they only have authentication, but not JWT/token issuing. So you need OpenIddict or IdentityServer 3/4 for it – Tseng May 08 '17 at 00:16
  • Also OpenIddict/IdentityServer can issue tokens to the users, Identity can't (this functionality was there in Identity 1 and 2, but was removed in the Core version of Identity). This leaves you with the only option of issuing token is to use 3rd party solutions. Also password flow is not to be compared with login form. Identity only issues you a cookie, while OpenID gives you a bearer token (access + refresh token), and it's only there for very specific cases and delegation should be used in most (more secure, since users do not have to hand password to the owner of the service) – Tseng May 08 '17 at 00:20
  • @Tseng Yes this makes sense, and maybe gives me some understanding as to why the ASP.NET Core Identity templates cannot be generated with a dotcore new webapi project. My thinking right now is just that I want to allow a user to register a new account with username/password and use Web API on the backend to store the successfully created account, and allow the user to come back later and login with that username/password and it just seems like ASP.NET Core Identity is a good out of the box solution for that. – Brian Ogden May 08 '17 at 00:21
  • @Tseng, with the openiddict password flow, I need a db table or 3 to store account username and passwords and other account info, you are saying I implement those tables and their related C# models myself since I am using Web API because ASP.NET Core Identity is designed to work with an ASP.NET MVC Client correct? – Brian Ogden May 08 '17 at 00:25
  • @Tseng what still confuses me is that the OpenIddict password flow will issue a valid token if a valid username/password is provided, I know the sample is for ASP.NET Core MVC but there are no cookies being used in the OpenIddict password flow sample. The example issues tokens, and calls CheckPasswordAsync, a method of ASP.NET Core Identity: https://github.com/openiddict/openiddict-samples/blob/master/samples/PasswordFlow/AuthorizationServer/Controllers/AuthorizationController.cs – Brian Ogden May 08 '17 at 00:33
  • @BrianOgden: No, OpenIddict itself uses Identity to validate the passwords and store the client secrets and application ids. But Identity alone is not sufficient for fully using WebAPI, because Identity alone is unable to generate bearer tokens (that will be passed with each request and can be refreshed **without** user reentering his credentials). OpenIddict closes this gap + offers a basic ui/OpenID provider functionality. Password flow in OpenIddict is something completely different than login in Identity. Identity sets a cookie, password flow gives you a bearer token – Tseng May 08 '17 at 00:34
  • Let us [continue this discussion in chat](http://chat.stackoverflow.com/rooms/143639/discussion-between-brian-ogden-and-tseng). – Brian Ogden May 08 '17 at 00:37
  • try vs 2017 preview: https://www.visualstudio.com/vs/preview/ It has this option – Alexan May 14 '17 at 15:58
  • @Alex Visual Studio 2017 has been released I believe, correct? – Brian Ogden May 14 '17 at 16:08
  • @BrianOgden, yes, but it is absent in the released version. Now they made a preview for .NET Core 2.0 Preview 1 – Alexan May 14 '17 at 16:11

2 Answers

10

Individual User Accounts authentication option for the ASP.NET Core Web API is available in .NET Core 2.0 Preview 1.

Unfortunately .NET Core 2.0 Preview 1 isn't available in VS 2017 release.

But you can install Visual Studio 2017 Preview (you can use it side-by-side with VS 2017 stable version).

Alexan
4

I think you can use IdentityServer4 which allows implementing single sign-on and access control for ASP .NET Core Web APIs using protocols like OpenID Connect and OAuth2. It offers integration with ASP.NET Core Identity and Entity Framework Core.

You will need to install the following NuGet package:

```
Install-Package IdentityServer4
```

and add the IdentityServer middleware to the HTTP pipeline:

```csharp
app.UseIdentityServer();
```

You can find several quick start samples here or follow this article.

  • Yes, and you can use OpenIddict as well which is supposedly even simpler than IdentityServer4 and is built upon ASOS. This question though is basically asking why the ASP.NET Core Identity templates, like AccountController.cs are not available for a new ASP.NET Core Web API project. By not being available, contributors to ASP.NET Core seem to be saying that we do not see a use case for Identity in Web API which does not make sense to me if one is standing up an Authentication API that supports resource owner password credentials grant type – Brian Ogden May 14 '17 at 16:05
  • Whether OpenIddict or IdentityServer4 or hand rolled, one might want to use Core Identity for resource owner password credentials grant type registration and subsequent logins support, in a Core Web API for Authentication – Brian Ogden May 14 '17 at 16:07
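
The API side of the cookie-versus-bearer-token split discussed in this thread, as an added example that is not part of any post above and not code from IdentityServer4 or OpenIddict: a stand-alone Web API that only validates bearer tokens issued by a separate authorization server, so unauthenticated calls get a 401 instead of a redirect to a login page. It assumes an ASP.NET Core 3.1-style `Startup` class and the `Microsoft.AspNetCore.Authentication.JwtBearer` package; the authority URL, audience name and `OrdersController` are hypothetical placeholders.

```csharp
using System.Linq;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        // Bearer tokens are the default scheme: no cookie middleware is
        // registered, so there is no login-page redirect for API callers.
        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(options =>
            {
                // Placeholder: base URL of the token issuer (for example an
                // IdentityServer4 or OpenIddict host). Signing keys are
                // fetched from its OpenID Connect discovery document.
                options.Authority = "https://auth.example.test";
                // Placeholder: the audience value the issuer puts in tokens
                // meant for this API. Tokens for other APIs are rejected.
                options.Audience = "orders-api";
                // Refuse to load discovery metadata over plain HTTP.
                options.RequireHttpsMetadata = true;
            });
        services.AddControllers();
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseRouting();
        app.UseAuthentication();   // must run before UseAuthorization
        app.UseAuthorization();
        app.UseEndpoints(endpoints => endpoints.MapControllers());
    }
}

[ApiController]
[Route("api/[controller]")]
public class OrdersController : ControllerBase   // hypothetical controller
{
    // Missing, expired or badly signed token: 401 with a
    // "WWW-Authenticate: Bearer" header. Valid token failing a policy: 403.
    [HttpGet]
    [Authorize]
    public IActionResult Get() =>
        Ok(User.Claims.Select(c => new { c.Type, c.Value }));
}
```

The API never sees a username or password in this arrangement; account storage and password checks stay with the token issuer, and each client application sends the token it obtained there in the `Authorization: Bearer` header.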